How to Respond to Security Questionnaires and Win Deals

If you work in Sales or IT, you’ve had to complete a compliance questionnaire at some point.

But if it’s your first time staring at a long list of requirements with a deadline, then you might be wondering what you did to deserve this fate.

Don’t stress. You’re not alone.

Across the globe, teams of knowledge workers are dealing with the pain of security and compliance questionnaires. These can come from customers, partners, investors, and suppliers who, as part of their vendor risk management process, are required to vet any 3rd parties they work with.

And yes, these questionnaires are painful, distracting, and confusing.

We get it. Most people just want to get the process over with. But a great response can make or break your business deal.

So here are 5 rules for writing a kick-ass response to a vendor risk assessment:

Third-party risk questions are already loaded with tech jargon and complex terminology.

Long responses to these questions are a bad idea because they make it more difficult for readers to complete their assessment. Keeping your answers simple will make the assessment process faster and easier for both parties.

For example, if you’re asked, “Describe which security certifications your product meets”…

A good answer might look like this:

We meet PCI-DSS, GDPR, and SOC2 Type 2 compliance.

A poor response will take forever without getting to the point:

We meet a variety of compliance certifications that extend above and beyond the norm. These certifications demonstrate our commitment to information security standards. We meticulously adhere to the highest standards of compliance, ensuring that our operations, systems, and processes align flawlessly with the stringent requirements of PCI-DSS, GDPR, and SOC2 Type 2.

No one wants to read all that. 🤮

Keep your responses direct and to the point. You’ll be doing your reviewer a favor by making their life easier and, in turn, improving your chances of winning the deal.

This is one of the best ways to build credibility.

Third-party risk questions cover topics that range from how your product works to what type of security training you provide employees. Your answers will likely point to internal policies and documents.

Include references to those documents in your response to put weight behind your answers. This also gets you ahead of the inevitable request for more information.

Here’s a simple formula for a great response:

Adding web links, architecture diagrams, and references to company documents can only benefit you. They build credibility and make your responses look clean.

Vendor risk management is rooted in transparency. It’s not like responding to an RFP, where sales teams are known to take…creative liberties. 😅

When it comes to security and compliance, you should always put your best foot forward. That means being 100% clear, honest, and transparent about how you meet the project requirements. Sometimes you’ll fail to meet them, AND THAT’S OK.

Stop thinking that you need to respond “YES” to everything to win a deal.

If you don’t meet a requirement, offer an explanation for why and how you can make up for it in other ways. For example:

Question: Do you require a minimum of 16 character complex passwords?

Answer: No, we require a minimum length of 8 character passwords. However, we also mandate Multi-Factor Authentication (MFA) for all users.

When you don’t meet a requirement, simply responding with a “No” might make you look worse than you really do. Always take the opportunity to explain your response and position your product in the best light.

Staring at a risk management questionnaire for hours can feel like a huge waste of time.

Chances are, you’re encountering repetitive questions over and over again. What’s worse is that you’re still manually searching, researching, and writing the answers out.

Even copy-pasting can be a pain as you need to reframe answers to fit the context and phrasing of the question.

In a recent study, we found that it can take a 2-person team up to 12 hours to complete a 100-question response. This is why businesses are opting to automate the process.

Being able to generate fast responses to repetitive questions using accurate data sources can be a huge time saver. Here’s what questionnaire automation looks like with 1up:

Going beyond answer generation, 1up allows you to automate the process of completing a questionnaire. This includes:

These are critical for automating the end-to-end workflow of responding to questionnaires.

Use the response to handle objections before they come up. Every answer is an opportunity to get in front of potential pushback.

If you respond “No” or “Non-compliant” to a requirement…
Ask the customer for clarification on why the requirement is important to them. Offer an alternative for how you can help and any similar requirements that your product meets.

If you have something on the roadmap, let them know
Sometimes, you just need to “sell the roadmap.” Customers will appreciate that you’re sharing your product strategy. Letting them know about upcoming features will almost always help. The key to maintaining credibility is to not promise anything that’s too far out, or isn’t in some way demonstrable.

Include proof points to build credibility
Mention customers, deployments, and success stories wherever it makes sense.

Set traps for your competition
If you’re in a competitive deal, this would be a good time to make it harder for them. Include questions and comments in your response that your customer can ask them. Every answer you provide is an opportunity to embed the idea of something you do better than the competition in the mind of your customer.